Compliance 101: Basics for Security Professionals

In today's regulatory environment, businesses can be subject to a number of industry standards and regulations, many of which include substantial penalties for non-compliance. These mandates affect corporate functions far beyond just Compliance, however; IT Security in particular. Security professionals, whether they're new to their role or have been around since VirusScan was the cutting-edge tool, should have a basic understanding of how compliance impacts the organization, including the stakeholders, the standards and regulations to which the business is held, and what needs to be done to ensure continued compliance. Compliance is not voluntary, and non-compliance can result in a mandatory business disruption or even stoppage until a compliant state is reestablished. Therefore, it behooves Security pros to understand their role, as well as other implications of compliance, and this eguide aims to help get them started.

eguide Compliance 101: Basics for Security Professionals 1

Why Be Concerned About Compliance

Compliance with industry standards and regulations has wide-reaching impacts, for both internal and external stakeholders. Organizations dedicate human and financial resources toward compliance for a number of reasons:

- to avoid liability at the Board and C-level
- to preserve their corporate reputation
- to keep their bottom line safe and shareholders happy
- to avoid the cost of compensating customers when sensitive data is stolen
- to avoid litigation costs; and
- to avoid the additional costs associated with increased scrutiny from regulators

The consequences of not meeting compliance in the presence of a compromise or a compelling event can have a considerable negative impact on any business, so it's imperative to understand the causes of non-compliance along with the impacts associated with increased liability.

Compliance Questions to Consider

Here are just a few of the questions to consider to help familiarize yourself with the compliance function. It's certainly not an exhaustive list, but these items will help you start to understand the scope and impact of compliance on your organization.

- Is your organization held to any compliance regulations or standards? (The answer is almost certainly "yes.") Some examples include: Sarbanes-Oxley, FISMA.
- How does your organization validate and measure its compliance posture and the risk to that posture?
- How does your organization control in-scope assets and collect compliance information?
- Does your organization use a third-party assessment entity? Who is that entity, and what do they provide to help meet compliance?

The Compliance Players

Nearly every internal stakeholder in the organization is attached in some way to the corporate policy. The following list covers the primary players responsible for creating the core policies that establish the organization's compliance posture (the role names accompanying each description did not survive in this transcription).

- Establishes the tone for risk appetite and risk management and considers risk and security strategy.
- Establishes the operational strategy for security and risk management in the organization. Sets strategic and tactical roles and responsibilities. Often responsible for approving or denying select IT policy and security budgets and spend.
- Develops the security policy, and conducts the risk assessments that underpin the processes for vulnerability management, incident management, security awareness and training, and Compliance management.
- Responsible and accountable for delivering the executive policy to the employees. Must ensure and prove compliance with IT policy.

The Convergence of Security and Compliance

While it may not always be apparent, Security and Compliance are counterparts on a path to a shared goal: managing the organization's risk. In this regulatory world, virtually every organization is subject to industry standards and/or regulations, and compliance is becoming one of the greatest challenges faced by IT organizations. Now that observing regulatory compliance audit policies is becoming a requisite for every organization, IT spending, priorities, and policies must be put in place across organizational teams to address the challenge. On top of that, operations and security teams have a long list of priorities and pressures to deal with. These days, sensitive enterprise data is always at risk of being compromised; therefore, it has also become a mandate to secure that information by establishing security processes that address the current threat. With these constraints and what seem to be conflicting priorities, it's no wonder that the convergence of security policies and compliance controls has not been seamless. There is hope, however, so let's dig in to explore why Security and Compliance are really counterparts on a shared path to the same business goal.

Regulations with a Big Bite

Organizations need to ensure compliance with all standards and regulations applicable to their industry, keeping in mind that some mandates (e.g. Sarbanes-Oxley) are horizontal in nature. We're highlighting the following five standards and regulations because they have a big bite when it comes to enforcement, penalties and remediation. They are also commonly associated with media headlines, and the news is typically not good for any organization called out in such reports.

FISMA, Sarbanes-Oxley

Payment Card Industry Data Security Standard (PCI DSS)

Purpose: PCI DSS is designed to ensure the security of cardholder information, and compliance with PCI DSS is mandatory for all organizations that store, process, and/or transmit major credit cardholder data. This includes all card network members such as banks, merchants and service providers.

Established: Version 1.0 of the PCI DSS was introduced in December 2004.

Governing Body: Payment Card Industry Security Standards Council.

Structure: 12 major security requirements, broken into six Control Objectives:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy

Penalties and other costs resulting from non-compliance:
- Loss of credit card privileges
- Loss of brand confidence and image
- Financial loss due to recurring fines and penalties
- Costs associated with reassessment by the Qualified Security Assessor (QSA)

North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) Standards

Purpose: To ensure the reliability of the North American bulk power system.

Established: The first set of legally enforceable Reliability Standards was introduced in March 2007.

Governing Body: North American Electric Reliability Corporation (non-profit).

Structure: Consists of 9 standards with 45 requirements.

Penalties and other costs resulting from non-compliance:
- Levying of fines, sanctions or other actions against covered entities (specific penalties vary from country to country)
- The Federal Power Act permits NERC or regional entities to impose civil penalties of up to $1 million per day, per violation, so long as the penalty is proportional to the seriousness of the violation

Health Insurance Portability and Accountability Act (HIPAA)

Purpose: To protect the confidentiality and security of patient information.

Established:
- August 1996: HIPAA passed into law
- August 1998: HIPAA Security and Electronic Signature Standards (subsequently changed to the Security Rule) first released
- December 2000: HIPAA Privacy Rule first released
- August 2002: HIPAA Privacy Rule finalized
- February 2003: HIPAA Security Rule finalized
- April 2003: Privacy Rule compliance deadline (excluding "small health plans")
- April 2005: Security Rule compliance deadline (excluding "small health plans")
- January 2011: Incentives for demonstrating meaningful use of electronic health records started

Governing Body: US Department of Health and Human Services (HHS), Office for Civil Rights (OCR).

Structure: Comprised of the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule), which establish national standards for the protection of certain health information; and the Security Standards for the Protection of Electronic Protected Health Information (the Security Rule), which establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called "covered entities" must put in place to secure individuals' electronic protected health information (e-PHI). Source: http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html

Penalties and other costs resulting from non-compliance:
- Fines of up to $250,000 per violation
- Civil monetary penalties
- Criminal penalties, including imprisonment (enforced by the US Department of Justice)
- Investigations and increased scrutiny in the event of a data loss

Sarbanes-Oxley Act

Purpose: To protect shareholders from harm caused by fraudulent and inaccurate financial reporting.

Established: The Act, named after its sponsors, Senator Paul Sarbanes and Representative Michael Oxley, was passed into law in July 2002.

Governing Body: The Act resulted in the creation of the Public Company Accounting Oversight Board, which oversees, regulates, inspects and disciplines accounting firms, subject to approval and oversight by the Securities and Exchange Commission.

Structure: Arranged into 11 Titles, each containing numerous Sections, including Section 802, which covers the management of electronic records.

Penalties and other costs resulting from non-compliance:
- Multi-million dollar fines for public corporations; auditor fines of up to $100,000 for individual auditors and $2 million for audit firms
- Criminal penalties including imprisonment
- Brand damage

Federal Information Security Management Act (FISMA)

Purpose: To strengthen the security of information systems used or operated by US federal government agencies, including contractors or other organizations acting on behalf of a federal agency.

Established: Passed into law in December 2002 (as Title III of the E-Government Act of 2002).

Governing Body: The Office of Electronic Government within the U.S. Office of Management and Budget, with guidance from the National Institute of Standards and Technology (NIST).

Structure: A series of security standards and guidelines, including Federal Information Processing Standard Publication 199 (FIPS 199), FIPS 200, and NIST Special Publications 800-53, 800-59 and 800-60.

Penalties and other costs resulting from non-compliance:
- Congressional censure
- Reduced federal funding
- Loss of public confidence

The Fundamentals of Compliance Controls

IT security and compliance professionals must ensure continuous compliance with industry standards and regulations, or face undesirable consequences such as fines and brand damage. A compliant state is built on 5 fundamental core controls, which are common across all major regulations and standards:

1. Identify, classify & scope critical business processes
2. Monitor and prevent change
3. Measure, identify and analyze risk
4. Detect and prevent malware
5. Actively enforce policy

We'll explore each of these at a high level on the following pages, including a comparison of traditional methods vs. a positive security approach.

IDENTIFY, CLASSIFY & SCOPE CRITICAL BUSINESS PROCESSES

A foundational security control associated with nearly every standard and regulation speaks to inventorying/identifying/classifying (or insert other applicable verb here) critical data. However it's labeled, this essential control requires the organization to pinpoint where the critical data resides so it can be safeguarded, with auditable proof.

Traditional Approach:
- Manual process of identifying and classifying files
- Cumbersome and static, relies on scan-based technologies

Positive Security Approach:
- Real-time sensor provides visibility into what's running at any point in time
- Continuous monitoring and recording of all endpoint activity, providing details about processes, including where/how they originated and whether they created child processes

MONITOR AND PREVENT CHANGE

The next common control covers file integrity and is typically called File Integrity Monitoring, or FIM. This essentially requires organizations to ensure that unauthorized changes to critical files, such as operating system and core application files, do not occur. Such a change or attempted change is an indicator of compromise and, therefore, must be taken seriously.

Traditional Approach:
- Identify and analyze all changes after they've occurred, potentially resulting in significant administrative burden
- No easy way to filter authorized changes vs. unauthorized changes, producing a lot of noise for the security team

Positive Security Approach:
- Introduce control (i.e. File Integrity Control), using policy to prevent unauthorized changes from occurring and eliminating the need to do post-event analysis
- Filter out all irrelevant changes and focus only on changes that are important to security and compliance
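To make the "filter authorized vs. unauthorized changes" point concrete, here is an added example (not code from the eguide or from Carbon Black) of a minimal hash-based integrity check: a baseline of the monitored tree is compared with its current state, and a change is only reported as a finding when it is not covered by an authorized-change policy. The directory layout, file contents and the path-to-expected-hash policy are constructed for the demo.

```python
"""Minimal file-integrity check with an authorized-change policy (added example).

Assumptions (not from the eguide): critical files live under one directory,
the baseline is a dict of relative path -> SHA-256, and authorized changes are
recorded as path -> expected new SHA-256 (e.g. taken from a change ticket).
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash file contents in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Current hash of every regular file under root, keyed by relative path."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def classify_changes(baseline: dict, current: dict, authorized: dict) -> dict:
    """Compare the current state with the baseline and label each difference.

    authorized maps path -> the hash the file is allowed to have after an
    approved change. A change whose new hash matches the policy is labelled
    'authorized_change'; unchanged files are dropped so only real findings
    remain for the security team.
    """
    findings = {}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue  # unchanged: filtered out, no alert
        if old is None:
            findings[path] = "unexpected_new_file"
        elif new is None:
            findings[path] = "deleted"
        elif authorized.get(path) == new:
            findings[path] = "authorized_change"
        else:
            findings[path] = "unauthorized_change"
    return findings


def demo() -> dict:
    """Constructed scenario: one approved patch, one tampered config, one dropped file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"app v1")
        (root / "app.conf").write_text("debug=false\n")
        baseline = snapshot(root)

        # Approved vendor patch: the change record tells us the new binary's hash.
        patched = b"app v2"
        authorized = {"bin/app": hashlib.sha256(patched).hexdigest()}

        (root / "bin" / "app").write_bytes(patched)             # authorized
        (root / "app.conf").write_text("debug=true\n")           # not approved
        (root / "bin" / "helper.so").write_bytes(b"\x7fELF..")   # unexpected
        return classify_changes(baseline, snapshot(root), authorized)


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:20s} {path}")
```

Only the tampered config and the unexpected new file surface as findings; the approved patch is recorded but not alerted on.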

MEASURE, IDENTIFY AND ANALYZE RISK

Most standards and regulations require organizations to identify and analyze the compliance risk caused by the introduction of vulnerabilities into the enterprise. This helps organizations understand the impact that these vulnerabilities have on their compliance posture.

Traditional Approach:
- Reactive, manual vulnerability classification & remediation, subject to human error
- Relies on sources such as news groups and other occasionally-updated feeds

Positive Security Approach:
- Proactive, automated vulnerability and threat identification based on real-time intelligence
- Dynamic updating, using cloud-delivered threat and reputation intelligence from dozens of sources

[Diagram: endpoints (desktops & laptops, Windows & Macs, virtual/physical servers, fixed-function devices) send real-time updates, with no scanning or polling, to a console holding real-time and recorded data, big data analytics, open APIs and threat indicators. Visibility ("Instant Intelligence"): all file modifications, all registry modifications, a copy of every executed binary, threat intelligence, reputation, attack classification. Detection ("Identify Threats"): all file executions, all network connections, all cross-process events, cloud-delivered advanced threat indicators (signature-less), cloud-delivered attack attribution, cloud-delivered reputation.]

DETECT AND PREVENT MALWARE

Compliance standards and regulations call for the detection and prevention of malware, as the introduction of such files can clearly lead to security and compliance concerns. Regardless of the compliance standard, this requirement is almost universally written identifying anti-virus technologies as the means to ensure compliance.

Traditional Approach:
- Based on a negative, blacklisting-type approach
- Essentially impossible to keep up with the list of known bad file hashes, which changes by the minute
- Scanning requires heavy use of processing resources

Positive Security Approach:
- Blocks any untrusted processes from executing
- Does not require updating and maintaining a list of known bad hashes
- Lightweight sensor uses minimal processing power and does not require constant scanning or frequent endpoint updates

ACTIVELY ENFORCE POLICY

A final common control aims to ensure that the security and compliance policies are pushed out to the entire organization and that each of the stakeholders understands his/her roles and responsibilities under that policy.

Traditional Approach:
- No audit trail of policy acceptance and testing
- Often ad hoc, with no method to enforce compliance
- Results in increased compliance costs if a third-party organization is hired

Positive Security Approach:
- Full audit trail of policy awareness
- Policies are pushed out automatically, with auditable evidence of consumption
- Can be managed in-house, minimizing compliance costs

CARBON BLACK COVERS ALL ESSENTIAL COMPLIANCE CONTROLS

- Provide full visibility of what is running within your enterprise
- Eliminate the noise associated with FIM; immediately identify the critical changes
- Gain an immediate threat and trust measure across the entire enterprise
- Eliminate the burden of negative technologies and the maintenance associated with them
- Ensure total enforcement, compliance, and audit with security policy

About Carbon Black

Carbon Black leads a new era of endpoint security by enabling organizations to disrupt advanced attacks, deploy the best prevention strategies for their business, and leverage the expertise of 10,000 professionals to shift the balance of power back to security teams. Only Carbon Black continuously records and centrally retains all endpoint activity, making it easy to track an attacker's every action, instantly scope every incident, unravel entire attacks and determine root causes. Carbon Black also offers a range of prevention options so organizations can match their endpoint defense to their business needs. Carbon Black has been named #1 in endpoint protection, incident response, and market share. Forward-thinking companies choose Carbon Black to arm their endpoints, enabling security teams to: Disrupt. Defend. Unite.

2016 Carbon Black is a registered trademark of Carbon Black. All other company or product names may be the trademarks of their respective owners. 1100 Winter Street, Waltham, MA 02451 USA. www.carbonblack.com